From YouTube: OpenShift Commons Gathering 2019 Santa Clara State of Container Security Urvashi Mohani
Description
OpenShift Commons Gathering 2019
Santa Clara
State of Container Security
Urvashi Mohani and Mrunal Patel
A: Before we talk about container security, let's go through what makes up a container. Everyone should be familiar with this, but just to set up the stage. First of all, you need an OCI image bundle definition. With OCI we standardized what makes up an image and how images are stored in a registry. So basically it's a tarball with JSON storing the configuration for the image. So once you have these images on a registry, what do you need to pull them down?

So we created this library called containers/image, and with this library you are able to pull down images from any container registry that is compatible with Docker and OCI, and you're able to move your images onto your node. Then next you get all these layers on your node, so you have to explode them into a copy-on-write filesystem.

So you get a root filesystem for your container, and for that we have a library called containers/storage. Now, where did containers/storage come from? Red Hat had been involved in Docker from the beginning, and we've contributed a bunch of drivers to that library. So this was extracted from the work we did there, basically taking all the drivers like overlay, devicemapper, AUFS, Btrfs and so on.

So this is what your copy-on-write filesystem looks like for a container. Whenever you do a FROM fedora or FROM ubuntu, and then you add RUN instructions at the bottom, you have layers that are shared between all the containers, and these are read-only. That way each container is not getting duplicate copies of the layers, and they just have their own top read-write layer. So now, moving on to why.

B: Okay, so now that we know what containers are and what all you need to run your containers, we can break down the container toolchain into actually four different categories. These are: one, building your container images; two, playing around and testing with your containers locally; three, storing and sharing your container images, for example moving them from your host system to a remote registry; and finally, four, running your containers in production clusters such as Kubernetes or OpenShift. And we believe that each of these categories has different security requirements.

For example, you don't need as many permissions to run your containers in a production cluster as you need to build the container images. So now you can imagine what would happen if you had all these functions in one single tool. We would end up with the least common denominator when it comes to security, since the production cluster doesn't need as much but the build process needs more. So let me look at the UNIX philosophy.

It states that you should design programs to do one thing, to do it really well, and to work well with other programs. And, as you can see here, the UNIX founders are pretty happy that we followed that and created a tool for each of these categories I mentioned before. These are: Buildah, which obviously stands for building container images; Podman, a CLI tool you can use to test your containers locally; Skopeo, for storing and sharing these containers; and finally CRI-O, a container runtime interface for running these containers in a production cluster. And now we'll just go through each of these tools and what security features they have to offer for your container workloads.

So the first step in your container workload is building the container image, and actually you can see there the cute logo that Diane mentioned before that Buildah has. So the first thing that comes to mind when building your container images is actually the two things you should keep in mind. That is: one, how do I build, how do I create secure images? And two, how do I do the build process in a secure fashion? So for the first thing, how do I create secure images: you want to think about minimal images. Basically, the more you have baked into your image, the more risk there is of something going wrong.

You do not want to have a package manager in your image, for example. You want to do all your building and installing outside of the container, on your host, and then copy the products into your container image. This way you have exactly what you need in your container image and you're shrinking your attack surface, and Buildah lets you do that with minimal images. For the second step, how do I build these container images in a secure fashion: you can run Buildah inside a container, so you're isolating your build process from your host.

It won't be able to cause any harm on your host, and actually in OpenShift 4.0 we're going to be using Buildah for all the source-to-image builds we do. And, as you would see with our other tools here, like Podman and Skopeo, you can run Buildah without root privileges, emphasizing on: please build your images without root. So yeah, we have a bunch of demos for you here. Urvashi is gonna stand here and blabber on at you while switching to demos.

Yes, Buildah has a command, buildah from scratch, and what this does is it creates an empty container. So it gives you the whole scaffolding of what you need for a container, but zero content in it, and now you can go and add everything you need inside it. So I did the buildah from scratch there, then I mount that to get the filesystem, and then, using my host package manager, DNF, I'm installing (I just want busybox inside this) busybox in there, and that's what this whole long thing did there. And now:

Here's all I have in that image: busybox. Let's try Python. Yeah, that fails again. So I literally just installed busybox in there, and that's the only thing that you'll get when you run things in that container image, and as you can see, that's the help menu for busybox. So yeah, reduce your attack surface, create minimal images.

So now I can use another container tool like Podman and run this image and actually do my build process inside it. The second Dockerfile is a simple Dockerfile I'm just showing that I'm going to build right now, and I know that command for Podman looks pretty intimidating, but all I'm doing is bind-mounting volumes so I can access the Dockerfile and access the images that are built inside my container. So let's do that. Pretty simple build there.

I tend to like to test it locally to make sure it has everything I needed it to have and works the way it's intended to work, and for that we have Podman. What Podman actually stands for is pod manager, because you can do everything from doing builds as well as creating and running containers and pods locally. Podman actually uses Buildah under the hood to do builds using Dockerfiles, and, thinking back to our UNIX philosophy: make programs do one thing and work well together.

So with Podman, as I mentioned with Buildah before, you can run it without root privileges. This way admins can get away without giving root access to the developers, and a really cool added advantage of this is you get compartmentalization, so multiple users can have their own containers and images on the host and won't have access to each other's. And then the next thing is Podman takes advantage of user namespaces.

So you have isolation between your host and your container, as well as between multiple containers, using Podman. So if a process from container A breaks out and tries to attack container B, it won't be able to, because they'll be running in their own user namespace. And Podman is a true fork-exec model. What this means is that all the child processes of Podman inherit the login UID of the user that invoked the Podman command, and this is very helpful when it comes to auditing.

...command anymore. I'm listing the images I have that I pulled without using root for Podman, and as you can see I have two images there. Now to prove to you that it's separate from the one with root, you can see that root has so many, so they're in different locations. So when you're doing rootless, Podman creates all your containers and stores your images in the user's home directory.

Hence, going back to the compartmentalization, every user would have their stuff in their own home directory. And to show you: inside the container it's root, but on the host it's UID 1000. So that's how Podman does the rootless stuff. Basically, it's fooling the process into thinking that it's running as root using UID mapping, and I'm gonna show that here. So every modern Linux system has this file called /etc/subuid now, and what it does is...

Okay, so let's look at what directory I'm in right now, and that shows a bunch of files that I have there, and you can see the owners of those files. You can see only one of them, the third one from the top, is owned by root. Everything else is owned by the user that's logged in right now. So let's do a buildah unshare. What buildah unshare does is it takes your account and puts it in a user namespace.

It does the UID mapping for you, so it maps UID 0 in the user namespace to your login UID on the host, which is 1000 right now, and then it creates a UID map for everything from 100000 onward. Sorry, that UID map you see when I cat /etc/subuid: it does that mapping for you, from UID 1 in the container to 100000 on the host, and does it for the next 65,500 UIDs.

So now that I'm in my user namespace in my container, I can create files 1, 2, 3, 4, and they will respectively be owned by 100001, 100002, 100003 on the host. So you're creating isolation between your host and your container here with that user namespace. But with Podman you can actually do this for multiple containers as well. You can add extra layers of isolation between containers, and you can do that, but... damn, what happened there?

So the second one I'd be creating would be 0 in the container, 200000 on the host, and, as I mentioned before, if a process from container A breaks out and tries to attack container B, it won't be able to, because on the host container A is 100000 and B is 200000, so different permissions, so there's actually isolation. And then, as I said, Podman is a true fork-exec model.

Well, you can see what login UID you have on the system by cat'ing /proc/self/loginuid, and it's 1000 right now. The loginuid stays the same regardless of how many times you log into the system. It's attached to what your username is. So with the true fork-exec model with Podman, when I run a container and cat that same file inside the container, you would see it's 1000, because the child process inherits the parent process's login UID. And let's try that with another container tool like Docker, which is a client-server model instead, and you will see that huge number there. Basically, it's the Docker daemon, and the user's login UID was never set. The login UID is not set. So yeah.

That's what you have now. Let's run this: set an audit control on /etc/shadow; it's a pretty important file. And now let's say I run a privileged container and I mount my host, and I want to do something shady with that /etc/shadow file. So with Podman, once you do that and you look at the audit logs, you can actually see who tried to do that.

You can see there who tried to just do some changes to the /etc/shadow file. But now, if we try it with Docker, for example, and do the same thing, the UID is unset, because that's the Docker daemon, so you don't know who did that. So in terms of security this is pretty cool, because you can audit your system and see who's trying to do shady stuff. And that was with Podman.

So before I move on to the next thing, I just want to mention: someone's probably wondering, if I can do builds with Podman, then what's the purpose of Buildah? So Podman was essentially designed for users who wanted to come and use our tools and be able to not have to relearn the whole tool. So it should replicate the Docker CLI basically, and we have building with Dockerfiles in the Docker CLI. It's podman build, and what podman build does is it invokes buildah bud, which stands for build using Dockerfile.

But if you want to create minimal images and you want to build using a bash script and all you have to do that, then Buildah is specifically designed for the build process and creating OCI images. So now we've done the first two steps. We have created a container image, we're satisfied with what it does, and now we want to share it to registries and to other people. Skopeo actually stands for remote viewing and was initially designed so users can view, can get the information of a remote image without having to download it locally. So they can hit that registry and be like, I want to see what this Fedora image is and see all the tags it has, who maintains it, what layers it has, so you can inspect it. What it was designed for is: don't just download random stuff off the internet, check what you're getting first; as well as the fact that people were downloading huge images and realizing this is not what they wanted and had to sit through another whole download process. We decided to explore a step further and allow users to move images between environments pretty easily. So let's say you created an image locally, you push it to your private registry, and now you want it on your external registry, but you don't have it locally anymore. With Skopeo you can easily transfer it over without having to download it back onto your host system.

This is what the Skopeo command line looks like; it's pretty simple to use, mainly for moving images around and inspecting them, and you can also pass in your credentials if you're using private registries. Let's do an inspect on the Fedora image that lives in the Docker registry right now, and as you can see it's JSON; it tells you the digest, all the repo tags you have there, who maintains it, the layers, and it also just gives you good information on what you're about to get. And you can also inspect this and see that, oh, you want a specific tag that you didn't know, like you couldn't remember the name of. So if I wanted a tag that had something like "hide" in it, I can see it's right there. And then now, after this talk, if you're convinced to sort of move over to using Podman for your container workloads, I'm gonna do a pretty quick demo on how you can copy your images over from the storage that Docker uses on your system to the storage used by all our tools. So in Docker, okay, the purpose of this was to show you the Ubuntu image in here, and you'll see it's there. So I'm gonna Skopeo this: it's the skopeo copy command, and the docker-daemon in front just means take it from the Docker storage and move it to containers/storage, which is the storage that all our tools use. And then, as you can see, it should be there.

A: So Urvashi walked us through all these tools to build locally, and finally the most important step is you want to run these containers in production. So, having built all these libraries and building blocks, we asked ourselves a question: can we build a minimal runtime for Kubernetes that just satisfies the CRI using the OCI projects? And the answer was yes, because we have runc, because we have containers/image and containers/storage, we can build that. So CRI-O started out to build the CRI using OCI, hence the name CRI-O. So here's the architecture of CRI-O.

This is what a node looks like when you're running CRI-O as the container runtime. On the left here you have the kubelet; the kubelet talks to CRI-O via the CRI gRPC API, and CRI has two different services: the image service and the runtime service. The image service is responsible for pulling down images that are required by a pod, so we use the containers/image library to implement the image service, and the runtime service is actually responsible for running your containers and pods.

So for that we use the storage library to create the copy-on-write filesystem. We use the OCI generator library to create a config.json that runc or any other OCI-compatible runtime, like Kata Containers or gVisor, can use. And then finally, for networking, we utilize all the nice work done by the CNI community, so any CNI-compatible plugin works with CRI-O. You can just plug it in through the configuration. And on the top you see a couple of pods; let's dive into that a little bit more.

So here's a view of the pod when using CRI-O. The pod is the holder of the IPC, network and PID namespaces, and each pod has an infra container, which could be your PID 1, so it can reap the processes inside the pod. And on top of each container you have this utility called conmon. Now, why is conmon required? Because of the way OCI defines how runc containers are created and started, we need a small monitoring agent so that we can capture the exit code of the container. And conmon also does other duties, such as writing out logs, serving attached clients, holding the TTY, and reporting out-of-memory notifications on the container. So we wrote conmon in C, and the reason is because it is small enough, and since we need to run it for every container, the overall memory overhead of running conmon is very low.

So what do you need to do to run securely in a production cluster? Secure defaults. Use read-only container filesystems, so your container process cannot write inside your container read/write layer; so just basically get rid of the read/write layer if possible, and all containers and pods should be writing to the volumes that are provisioned by Kubernetes and not using the read/write layer.

Secondly, use an immutable host like Red Hat CoreOS, so if a container process is able to somehow break out of the container, they are not able to make changes to your host operating system. Secondly, enable fewer capabilities. So, while building and developing containers you need more capabilities, but when running them in production you don't need all those capabilities, so CRI-O ships with a reduced set of capabilities by default compared to Podman or Buildah or Docker or anything else you need for development.

So the third thing is user namespaces; we have added support for user namespaces in CRI-O. However, the Kubernetes work is still in progress, and as soon as that gets merged upstream we'll be shipping that support. Then another small thing is the PIDs limit. It's for preventing fork bombs; one of the runc maintainers has added that support to the kernel, and it's set by default and configurable in the CRI-O configuration. And then, last but not least, SELinux.

So we have had a number of container breakouts over the past two, three years, and most of the time the answer has been: hey, if you have SELinux enabled, then you are protected; the zero-day is not going to affect you. And this includes the latest runc CVE that came out last month. So let's switch over and do some demos next. So here I have the CRI-O daemon running and I have configured a Kubernetes local cluster to talk to the CRI-O daemon.

So we talked about read-only filesystems earlier, so you can see that by default it's read-only and the container process cannot write anything inside the container. And how is this set up? We can examine the crio.conf, and we set read-only to true by default. Then we talked about capabilities, so you can observe over here that I have not set CAP_NET_RAW. CAP_NET_RAW allows your container process to craft any packets, and that has been the source of vulnerabilities in the past.

So it's a good idea to get rid of it by default, if possible. So you say: I don't have CAP_NET_RAW, then how is ping going to work? Well, there's a way; let's see if we can get it to work. So this pod is able to ping the other pod, and how is that possible? CRI-O allows you to set sysctls by default, and there's a kernel sysctl which has been available that allows you to enable that even though you don't have CAP_NET_RAW.

So I'm trying to launch 60 sleep processes, and you can see that after 49 (and the 50th is my own shell) I'm not able to launch processes anymore, and the reason is because I've set my PIDs limit to 50 by default, and here's the setting in the crio.conf that shows you that. So basically, CRI-O has all these tunables available and we ship with secure defaults, so your containers are safer in production and there's less chance of exploits affecting you. What were the mitigations for the runc CVE that came out last month?

Well, one was: use a read-only host filesystem, so even if the container breaks out it can't modify binaries on your host OS. So you should use something like Red Hat CoreOS or any operating system that is immutable by default. Second is run non-privileged, so don't run your containers as root. So we saw Uber and Splunk talk about how they had to make changes to their pods because they wouldn't run directly on OpenShift.

B: So these are all the resources we have available. We have websites for CRI-O, Buildah, Podman; they have a bunch of blogs in them and the link to our GitHub pages, so we're obviously always looking for contributors. If you're interested in helping out, just take a look at that. And we have a pretty cool coloring book called Container Commandos; it sort of highlights what each of these tools does in a very simple way and how they all work well together. We don't have hard copies, unfortunately, but you can go to that website and get the e-copy. And if you're interested in playing with the script yourself and doing it locally, the demo script lives on that link over there, so you can always pull it down. It does the whole setup and everything for you easily. So you can do that. That's it, thanks. Oh, one more thing: I brought stickers; I'm going to put them on the table outside, so feel free to grab some.